project-westside-mcp updated 2026-04-10Vision
A read-only remote MCP server that lets Marcus ask Claude any natural-language question about Westside Basketball data from his iPhone. The MCP connects directly to the CNPG Postgres read-replica as a marcus_readonly role and exposes a live schema catalog so Claude writes SQL dynamically — nothing is hardcoded, migrations can't silently break Marcus's tools. Deployed via the pal-e-platform pattern: Tailscale funnel, Harbor image, Woodpecker CI, ArgoCD rollout, Prometheus/Loki observability. Registered in claude.ai under westsidebasktball@gmail.com so the Claude iOS app auto-syncs the connector.
User Stories
| Key | Story | Role | Success Metric |
|---|---|---|---|
| asks-data | story-westside-mcp-asks-data | Marcus | 10/10 sample questions answered correctly from iPhone |
| safety | story-westside-mcp-safety | Lucas | Zero write-path risk; migrations can't silently break the MCP |
Architecture
- arch-domain-westside-mcp — entities: Connector, Tool, Catalog, Role, Query
- arch-dataflow-westside-mcp — Marcus asks a question → iOS → claude.ai → MCP → Postgres → answer
- arch-deployment-westside-mcp — Tailscale funnel → k3s pod → CNPG
-roreplica, observability wired
Key decisions:
- Direct Postgres, not via basketball-api. Read-only enforced at the Postgres role level.
- Connects to CNPG
-roreplica endpoint, not primary. Two-layer write protection. - Live
information_schemaintrospection (Layer 1 catalog). Semantic YAML annotations (Layer 2) added reactively only where Claude guesses wrong. - Drift-check CI compares live schema against catalog YAML — migrations can't silently break the MCP.
- Streamable HTTP + OAuth via shared
mcp-remote-authpattern (same as gmail/gcal/notion remotes). - Single-user gated to westsidebasktball@gmail.com.
Board
board-westside-mcp — the kanban for this project. 10 initial build tickets across three stages.
Status
2026-04-10: Project created. 10 backlog tickets pending /review-ticket. No code, no repos, no terraform yet.
Stages:
- Stage 0 — Discovery: schema audit + sensitive-column inventory + 10 sample questions corpus (docs only)
- Stage 1 — Hello-world remote MCP: repo scaffold, CI, pal-e-services + pal-e-deployments, ping tool, claude.ai URL registration, iPhone verification
- Stage 2 — Catalog + query: marcus_readonly CNPG role, get_catalog() tool, query(sql) tool with safety enforcement, 10-question validation
- Stage 3 (deferred): Grafana dashboard, rate limiting, alerting, runbook
- Stage 4 (deferred): semantic annotations + cross-repo drift check
Win condition: Live westside-mcp.tail5b443a.ts.net connector registered in claude.ai, Marcus uses it from his iPhone, and he can ask any natural-language question about Westside data and get a correct answer via a live schema index — zero hardcoded tables, zero manual SQL, zero write-path risk.
Milestones
- No milestones yet. First milestone will be
milestone-2026-MM-DD-stage-1-hello-world-live— Marcus pings the MCP from his iPhone.
Repos
| Repo | Platform | Role | Status |
|---|---|---|---|
| westside-mcp-remote | forgejo | MCP server code + Dockerfile + Woodpecker CI + catalog YAML | Not created |
| pal-e-services | github | Harbor project, Tailscale funnel hostname, CNPG role, k8s secret | Touched — PR pending |
| pal-e-deployments | forgejo | Kustomize overlay + ArgoCD Application | Touched — PR pending |
| mcp-remote-auth | forgejo | Shared OAuth proxy — consumed, not modified | Consumed |